Long story short, since I installed the April 2018 updates for my NUC5i5RYH (running Win10 1709 Enterprise edition), the Microsoft PowerShell cmdlet to check for Spectre/Meltdown mitigations no longer reports my machine as "protected" (or whatever you want to call it).
Here's the cmdlet snippet:
PS C:\Windows\system32> Get-SpeculationControlSettings
Speculation control settings for CVE-2017-5715 [branch target injection]
For more information about the output below, please refer to https://support.microsoft.com/en-in/help/4074629
Hardware support for branch target injection mitigation is present: False
Windows OS support for branch target injection mitigation is present: True (I have the patches installed, but I've disabled the software mitigations via the registry keys.)
Windows OS support for branch target injection mitigation is enabled: False (I have the patches installed, but I've disabled the software mitigations via the registry keys.)
Windows OS support for branch target injection mitigation is disabled by system policy: True (I have the patches installed, but I've disabled the software mitigations via the registry keys.)
Windows OS support for branch target injection mitigation is disabled by absence of hardware support: True
Speculation control settings for CVE-2017-5754 [rogue data cache load]
Hardware requires kernel VA shadowing: True
Windows OS support for kernel VA shadow is present: True
Windows OS support for kernel VA shadow is enabled: False
* Install BIOS/firmware update provided by your device OEM that enables hardware support for the branch target injection mitigation.
* Follow the guidance for enabling Windows Client support for speculation control mitigations described in https://support.microsoft.com/help/4073119
BTIHardwarePresent : False
BTIWindowsSupportPresent : True
BTIWindowsSupportEnabled : False
BTIDisabledBySystemPolicy : True
BTIDisabledByNoHardwareSupport : True
KVAShadowRequired : True
KVAShadowWindowsSupportPresent : True
KVAShadowWindowsSupportEnabled : False
KVAShadowPcidEnabled : False
My machine is running the 369 version of the BIOS as per the output of this:
PS C:\Windows\system32> wmic bios get smbiosbiosversion
According to the release notes for this BIOS version here: https://downloadmirror.intel.com/27631/eng/RY_0369_ReleaseNotes.pdf, it should provide the hardware mitigation the cmdlet is looking for.
I'd like to say that prior to the April 2018 updates the cmdlet reported that hardware mitigation was in place, but I can't be 100% certain since I didn't document it.
(Just in case, here's the link to the get-speculationcontrol thing:
and here's the one to the aforementioned registry keys to disable mitigations at the client OS level:
Questions? Thoughts? Let me know if you need me to provide additional information on this.
Thank you for joining the community.
Could you please help us with the following information?
In order to help you better, I would like to gather more information about the configuration you have on the computer. Please attach to this thread the TXT file the Intel® System Support Utility will generate: https://downloadcenter.intel.com/download/25293/Intel-System-Support-Utility
Steps to save the report:
Could you share with us pictures of the tool with the output informing you that your system is vulnerable?
Please review your private inbox.
Thank you for waiting.
Allow me to share with you that BIOS 0369 has the update for the microcode, as you mentioned in your previous post. In this case, since the tool that you are using is from Microsoft, we recommend contacting them so that they can interpret the output and provide suggestions on how to proceed.
We do not have an official Spectre/Meltdown detection tool yet, thus our official recommendations are provided here: https://newsroom.intel.com/press-kits/security-exploits-intel-products/.